<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>OpenID Connect authenticate API | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'security-api-oidc-authenticate.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-oidc-authenticate.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-oidc-authenticate.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/security-api-oidc-authenticate.html" rel="nofollow" target="_blank">../en/security-api-oidc-authenticate.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="rest-apis.html">REST APIs</a></span>
»
<span class="breadcrumb-link"><a href="security-api.html">Security APIs</a></span>
»
<span class="breadcrumb-node">OpenID Connect authenticate API</span>
</div>
<div class="navheader">
<span class="prev">
<a href="security-api-oidc-prepare-authentication.html">« OpenID Connect Prepare Authentication API</a>
</span>
<span class="next">
<a href="security-api-oidc-logout.html">OpenID Connect logout API »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="security-api-oidc-authenticate"></a>OpenID Connect authenticate API<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>Submits the response to an oAuth 2.0 authentication request for consumption from
Elasticsearch. Upon successful validation, Elasticsearch will respond with an Elasticsearch internal Access
Token and Refresh Token that can be subsequently used for authentication.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-oidc-authenticate-request"></a>Request<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc">edit</a>
</h3>
</div></div></div>
<p><code class="literal">POST /_security/oidc/authenticate</code></p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-oidc-authenticate-desc"></a>Description<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc">edit</a>
</h3>
</div></div></div>
<p>This API endpoint basically exchanges successful OpenID Connect Authentication
responses for Elasticsearch access and refresh tokens to be used for authentication.</p>
<p>Elasticsearch exposes all the necessary OpenID Connect related functionality via the
OpenID Connect APIs. These APIs are used internally by Kibana in order to provide
OpenID Connect based authentication, but can also be used by other, custom web
 applications or other clients. See also
<a class="xref" href="security-api-oidc-prepare-authentication.html" title="OpenID Connect Prepare Authentication API">OpenID Connect prepare authentication API</a>
and <a class="xref" href="security-api-oidc-logout.html" title="OpenID Connect logout API">OpenID Connect logout API</a></p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-oidc-authenticate-request-body"></a>Request body<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">redirect_uri</code>
</span>
</dt>
<dd>
  (Required, string) The URL to which the OpenID Connect Provider redirected the User Agent in
response to an authentication request, after a successful authentication. This
URL is expected to be provided as-is (URL encoded), taken from the body of the
response or as the value of a <code class="literal">Location</code> header in the response from the OpenID
Connect Provider.
</dd>
<dt>
<span class="term">
<code class="literal">state</code>
</span>
</dt>
<dd>
  (Required, string) Used to maintain state between the authentication request and the
response. This value needs to be the same as the one that was provided to the
call to <code class="literal">/_security/oidc/prepare</code> earlier, or the one that was generated by Elasticsearch
and included in the response to that call.
</dd>
<dt>
<span class="term">
<code class="literal">nonce</code>
</span>
</dt>
<dd>
  (Required, string) Used to associate a Client session with an ID Token and to mitigate
replay attacks. This value needs to be the same as the one that was provided to
the call to <code class="literal">/_security/oidc/prepare</code> earlier, or the one that was generated by
Elasticsearch and included in the response to that call.
</dd>
<dt>
<span class="term">
<code class="literal">realm</code>
</span>
</dt>
<dd>
  (Optional, string) Used to identify the name of the OpenID Connect realm that should
be used to authenticate this. Useful when multiple realms have been defined.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-oidc-authenticate-example"></a>Examples<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following example request exchanges the response that was returned from the
OpenID Connect Provider after a successful authentication, for an Elasticsearch access
token and refresh token to be used in subsequent requests. This example is from
an authentication that uses the authorization code grant flow.</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/oidc/authenticate
{
  "redirect_uri" : "https://oidc-kibana.elastic.co:5603/api/security/oidc/callback?code=jtI3Ntt8v3_XvcLzCFGq&amp;state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
  "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
  "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
  "realm" : "oidc1"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2127.console"></div>
<p>The following example output contains the access token that was generated in
response, the amount of time (in seconds) that the token expires in, the type,
and the refresh token:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "type" : "Bearer",
  "expires_in" : 1200,
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}</pre>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="security-api-oidc-prepare-authentication.html">« OpenID Connect Prepare Authentication API</a>
</span>
<span class="next">
<a href="security-api-oidc-logout.html">OpenID Connect logout API »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>